A cyber-espionage toolset known as the Glimpse Project, used by the Iranian group APT34, was leaked online, providing deep insight into how this group operates and manages infected systems.

Who is behind the attack?

The group behind the Glimpse project is APT34 (also known as OilRig), which is linked to the Iranian government and known for long-term cyber operations across the Middle East.

What was the purpose of the attack?

The goal was to spy on strategic industries and government institutions by infecting systems, gathering intelligence, and maintaining long-term access via stealthy communication channels.

Victims primarily included financial institutions, government bodies, energy companies, and telecommunications firms, especially in the Middle East.

How did the attack work?

The attack began with a script to run a PowerShell payload that would communicate with the attackers over DNS. This covert channel allowed attackers to send commands and receive data without traditional network detection.

Why are these targets important?

The targeted sectors are crucial to national security and economic stability, making them valuable for espionage and strategic advantage.

What can organizations do to protect themselves?

Organizations should monitor DNS activity closely, log and analyze PowerShell usage, segment their networks, and apply regular security updates. Preventing unauthorized scripts and limiting DNS traffic can help stop similar threats.

Is this a widespread issue or a targeted one?

This campaign was targeted, focusing on specific industries and regions of strategic interest to Iran. However, the tools and techniques could be repurposed or reused more broadly.

Threats Feed|APT34|Last Updated 16/04/2025|AuthorCertfa Radar|Publish Date02/05/2019

APT34's Glimpse Project: Sophisticated Cyber Espionage in the Middle East

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Dropper,Fileless malware,Malware
Attack Complexity: Unknown
Threat Risk: Unknown

Threat Overview

Since at least 2014, APT34, has targeted financial, government, energy, chemical, telecommunications, and other industries in the Middle East. Their Glimpse project uses a file-based command and control structure, including a VBS launcher and a PowerShell payload, with covert channels over DNS. Tools leaked on a Telegram channel were linked to OilRig, confirming their use in multiple intrusions across the Middle East and Asia. The attacks include sophisticated PowerShell scripts for command execution and data exfiltration.

Reference and Credit: Marco Ramilli - May 2019

APT34: Glimpse project

Detected Targets

Type	Description	Confidence
Sector	Financial	High
Sector	Government Agencies and Services	High
Sector	Information Technology	High
Sector	Energy	High
Sector	Telecommunication	High
Region	Middle East Countries	High

FAQs

Understanding the APT34 “Glimpse” Project

: A cyber-espionage toolset known as the Glimpse Project, used by the Iranian group APT34, was leaked online, providing deep insight into how this group operates and manages infected systems.
: The group behind the Glimpse project is APT34 (also known as OilRig), which is linked to the Iranian government and known for long-term cyber operations across the Middle East.
: The goal was to spy on strategic industries and government institutions by infecting systems, gathering intelligence, and maintaining long-term access via stealthy communication channels.
: Victims primarily included financial institutions, government bodies, energy companies, and telecommunications firms, especially in the Middle East.
: The attack began with a script to run a PowerShell payload that would communicate with the attackers over DNS. This covert channel allowed attackers to send commands and receive data without traditional network detection.
: The targeted sectors are crucial to national security and economic stability, making them valuable for espionage and strategic advantage.
: Organizations should monitor DNS activity closely, log and analyze PowerShell usage, segment their networks, and apply regular security updates. Preventing unauthorized scripts and limiting DNS traffic can help stop similar threats.
: This campaign was targeted, focusing on specific industries and regions of strategic interest to Iran. However, the tools and techniques could be repurposed or reused more broadly.

About Affiliation

APT34

Associate threats